Istio添加的XFCC头不包含客户端证书

Question

我已经在page中尝试了以下配置。

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        forwardClientCertDetails: ALWAYS_FORWARD_ONLY

如果我使用httpbin服务通过发送一个带有客户端证书的请求来测试，如下所示：

curl -v https://<my-FQDN>/headers --cacert CAcert.pem --cert client.pem --key client.key.pem

然后，在响应中，我看到XFCC头中只有入口网关证书。我没有在XFCC头中看到客户端证书。

  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "<my-FQDN>",
    "User-Agent": "curl/7.60.0",
    "X-B3-Parentspanid": "535ccd58be2707d1",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "859fe154b4b4f732",
    "X-B3-Traceid": "c3a2d51fe8843dfa535ccd58be2707d1",
    "X-Custom-Client-Ip": "xxx.xxx.xxx.xxx",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xxx.xxx.xxx.xxx",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=be931817624826a918707c148730ee0338b6aaa5e21a27c78b1abeafead6fd04;Subject=\"CN=istio-ingressgateway.istio-system.svc.cluster.local,C=US,OU=MGMT,O=XXXXX\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }

如何在XFCC头中添加客户端证书？

Answer 1

也许ALWAYS_FORWARD_ONLY意味着现有的XFCC报头将被转发。你试过APPEND_FORWARD吗？